Usage Control in
Cloud Systems
Paolo Mori
Istituto di Informatica e Telematica Consiglio Nazionale delle Ricerche
Agenda
●
Examples of usage of Cloud services
●Usage Control Model
●
Policy Language
●
Authorization system architecture
●
Integration with OpenNebula and CONTRAIL
Cloud Security
●
Most of the well-known security issues of IT
systems are still valid in the Cloud
●
New security issues due to Cloud peculiarities
–
Users
–
Cloud services providers
●
Reports on Cloud Security
–
CSA
–
NIST
–
ENISA
Examples of usage of IaaS Cloud
●
A researcher creates a new Virtual Machine to
manage the SVN of each new project he starts
●
NESSoS project users create a new Virtual
Machine on the NESSoS Cloud Execution
Environment to develope their applications
using NESSoS Eclipse development tools
Examples of usage of IaaS Cloud
●
A researcher creates a new Virtual Machine to
manage the SVN of each new project he starts
–
1 – 3 years
●
NESSoS project users create a new Virtual
Machine on the NESSoS Cloud Execution
Environment to develope their applications
using NESSoS Eclipse development tools
–
6 months
lon
g l
as
tin
g
ac
ce
ss
es
Other examples of Cloud usage
●
CONTRAIL project use cases:
–
Distributed Provisioning of Geo-referentiated
Data
–
Multimedia Processing Service MarketPlace
–
Real-Time Scientific Data Analysis
–
Electronic Drug Discovery
lon
g l
as
tin
g
ac
ce
IaaS Cloud Accesses
VM usage Time Time Start VM Stop VM IMG usageAuthorization of
Defined by R. Sandhu et. al.
– The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004
– Formal Model and Policy Specification of Usage Control. ACM Trans. on Information and System Security, 8(4), 2005
– Towards a Usage-Based Security Framework for Collaborative Computing Systems. ACM Trans. on Information and System Security, 11(1), 2008
– ...
Main novelties
– New decision factors: Obligations and Conditions
– Mutability of Attributes Continuity of Policy Enforcement
Defined by R. Sandhu et. al.
– The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004
– Formal Model and Policy Specification of Usage Control. ACM Trans. on Information and System Security, 8(4), 2005
– Towards a Usage-Based Security Framework for Collaborative Computing Systems. ACM Trans. on Information and System Security, 11(1), 2008
– ...
Main novelties
– New decision factors: Obligations and Conditions
– Mutability of Attributes Continuity of Policy Enforcement
Change their value frequently, as a consequence of the decision process
Paired with users and resources
Examples:
Reputation of users: changes as a consequence of the accesses performed by the user
Workload of systems: changes when new applications are started and when running applications are terminated
The decisions process is done continuously (OnGoing decision) while the access right is exercised, and the access is interrupted when the right does not hold any more
Examples:
OnGoing Authorization: the right of accessing a resource is granted as long as the reputation of the user is GOOD.
OnGoing Obligation: the right of accessing a resource is granted
as long as the user keeps an advertisement window opened.
Before usage Before usage Pre decision Pre decision Pre update Pre update Usage
Usage After usageAfter usage
Ongoing update
Ongoing update Post updatePost update
Mutability of attributes Ongoing decision Ongoing decision
Time
Time
Decision Decision Usage Usage Attr. update Attr. updateAccess VS Usage Control
Continuity of decision
request
request endend
Access
Before usage Before usage Pre decision Pre decision Pre update Pre update Usage
Usage After usageAfter usage
Ongoing update
Ongoing update Post updatePost update
Mutability of attributes Ongoing decision Ongoing decision
Time
Time
Traditional Access Control Decision Decision Usage Usage Attr. update Attr. updateAccess VS Usage Control
Continuity of decision
request
request endend
Access
Before usage Before usage Pre decision Pre decision Pre update Pre update Usage
Usage After usageAfter usage
Ongoing update
Ongoing update Post updatePost update
Mutability of attributes Ongoing decision Ongoing decision
Time
Time
Decision Decision Usage Usage Attr. update Attr. updateAccess VS Usage Control
Continuity of decision
request
request
Access
Access beginbegin
• Accesses to some resources are long-lasting (hours, days,..) – e.g., Virtual Machines in IaaS model
• The factors that granted the access when it was requested could change while the access is in progress
– User's reputation could decrease
– Workload of resources could change – ...
• The policy should be re-evaluated every time factors change – An access that is in progress could be interrupted
Example of Usage Control Policies
In natural language:
●
Users with role “RegisteredUser” can run Virtual
Machines
as long as
their reputation is equal or
higher than GOOD
●
Users with role “Guest” can run Virtual Machines
as
long as
the overall workload is lower than HIGH and
their reputation is equal to VERYGOOD
UCON XACML Security Policy Language
• XACML is a widely used standard for expressing security
policies
– NIST recommends its use for authorization in Cloud
• We extended XACML to implement UCON features:
– Attributes update
– Continuous control
• Preliminary work:
– A proposal on enhancing XACML with continuous usage
control features. CoreGrid ERCIM WG Workshop on
XACML Reference Architecture
Context handler
PDP
PIP
Access Control System
PAP
access req permit/deny
PEPPEP PEP
Usage Control System
• Extension of the XACML reference architecture
to deal with continuous policy enforcement:
– PEPs intercept END of accesses (besides access
requests)
– Session Manager (new component) keeps trace of
accesses in progress
– PIP monitors mutable attributes
• Triggers the re-evaluation of the security policy
Usage Control System Architecture
Context handler
PDP
PIP
Usage Control System
PAP Session Manager try access permit/deny revoke access end access PEPPEP PEP
Prototypes
1)Extension of authorization
support
– Resources: VMs
2)CONTRAIL project: integration with Cloud
Federation manager
– Resources: applications (set of VMs running on
distinct Cloud providers)
Integration with OpenNebula
PEP Context handler PDP PIPUsage Control System
PAP PEP Session Manager Authz Driver Hook Manager PEP Core
●
Design, implement, validate and promote an open
source software stack for Cloud federations
●
Develop a comprehensive Cloud platform integrating
a full IaaS and PaaS offer
●
Advanced SLA management
●
Advanced security support
–
Federated authentication
Usage Control System Performance
●
Ongoing accesses revocation
0 200 400 600 800 1000 1200 1400 1600 0 10 20 30 40 50 60 70 80 90 100 T im e (m s) Number of providers 10 resources per provider
Papers
● A. Lazouski, G. Mancini F. Martinelli, P. Mori: Usage Control in Cloud
Systems. In Procedings of The 3rd International workshop on Cloud Applications and Security (CAS’12), IEEE Computer Society (2012)
● A. Lazouski, F. Martinelli, P. Mori: A Prototype for Enforcing Usage Control
Policies Based on XACML. In Proceedings of the 9th International
Conference on Trust, Privacy and Security in Digital Business (TrustBus'12), LNCS 7449, Springer (2012)
● L. Krautsevich, A. Lazouski, F. Martinelli, P. Mori, A. Yautsiukhin: Integration
of Quantitative Methods for Risk Evaluation within Usage Control Policies. In Procedings of International Conference on Computer Communications and Networks (ICCCN2013) (2013)
EU Projects
●
Network of Excellence on
Engineering Secure Future Internet
Software Service and System
–
Oct 2010 – apr 2014
●
Open Computing Infrastructures for
elastic Services
–
Oct 2010 – feb 2014
●
Confidential and Compliant Clouds
Thank you!!
[email protected]
Istituto di Informatica e Telematica Consiglio Nazionale delle Ricerche